CVE-2017-16543
Published 2017-11-05
Priority P268 · critical · 9.8 (CVSS 3.0)
EXPLOIT
EPSS: 5.56% (91.9th percentile)
Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_applications_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /GraphicalView.do with method=saveBusinessViewPropsForADDM containing a viewProps parameter with a yCanvas field; the yCanvas value is the SQL injection point.
- Detect POST requests to /manageApplications.do?method=insert with a crafted name= parameter as an additional SQL injection vector in the same application.
- The exploit uses an X-Requested-With: XMLHttpRequest header on requests to /GraphicalView.do; correlate this with anomalous SQL payloads in the POST body to reduce false positives.
- These are post-authentication SQL injection vulnerabilities; the presence of a valid JSESSIONID_APM_9090 cookie alongside injection payloads indicates an authenticated attacker or a stolen session.
- The vulnerabilities are post-authentication only; exploitation requires a valid authenticated session (JSESSIONID_APM_9090 cookie). Unauthenticated access alone is not sufficient.
- Affected versions are ManageEngine Applications Manager 13 builds prior to 13500 only. Build 13500 and later are patched.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://code610.blogspot.com/2017/11/sql-injection-in-manageengine.html
- https://www.exploit-db.com/exploits/43129/
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2017-16543.html